Description

Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exposed in the REST API response at /api/user/v1/accounts/. This issue has been patched in the ulmo release.

INFO

Published Date :

2026-04-02T18:29:01.740Z

Last Modified :

2026-04-02T18:29:01.740Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34736 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34736.

URL Resource
https://github.com/openedx/openedx-platform/commit/ad342ae16e6af0b46460ca05f47697ac755feba8 cve-icon cve-icon
https://github.com/openedx/openedx-platform/security/advisories/GHSA-m6rg-rp98-4crw cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact